It’s not just the likes of Sony, TalkTalk and LinkedIn who have fallen victim to cyber crime; just as importantly, smaller organisations with restricted budgets are being hit too.
Steve Knibbs, resident cyber security expert and Head of Infrastructure Services at CoSector – University of London’s Computer Centre, has been asked the same questions by a number of concerned customers and education providers about how to tackle this high-risk issue. Here he provides an overview of the subject, the risks hitting us every day and the steps we can all take to reduce our exposure to attacks.
Chances are, every organisation has been the victim of a cyber attack in one form or another. In 2015 a survey undertaken by the Department for Business, Innovation & Skills (BIS) published a disturbing statistic, that:
90% of large organisations reported suffering a security incident
Q. I haven’t been hit, so I am in the lucky 10%?
How confident are you? Would you bet your salary on it? Trustwave’s Global Security Report, published in 2015, stated that 98% of all tested web applications were vulnerable to attack, and with online activity increasing, our digital security is now as important as remembering to lock the front door. This simple analogy drives the point home: you have to be security-minded and protected. If it isn’t locked down, someone is likely to steal from you.
Q. So what? Most of them were probably a DDoS and the site went down, therefore we are safe.
Again, can you be sure? Often a DDoS attack (Distributed Denial of Service: the intentional paralysing of a computer network by flooding it with traffic) is there to keep you preoccupied; call it a red herring. Whilst you or your technical team are busy dealing with the fallout from your site being down, the attacker is busy sifting through your data, going completely undetected.
Apart from DDoS attacks, which seem to be the buzzword at the moment, there are various other types of cyber attack that may be happening without your knowledge, such as:
- SQL injection attacks on web applications
- XSS (cross-site scripting) vulnerabilities in web applications
- Client-based malware such as CryptoLocker and other ransomware
- Phishing and social engineering attacks.
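The first item on that list is the easiest to show in code. The block below is an added example, not code from the article or from CoSector: a constructed in-memory SQLite table with a login lookup written two ways, once by pasting the username into the SQL string (the defect behind SQL injection) and once as a parameterised query. The table, usernames and the `lookup_vulnerable` / `lookup_safe` function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample database for the example; not real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The user-supplied value is spliced into the statement, so any quote
    # or operator it contains becomes part of the SQL the database runs.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Parameterised query: the value is passed to the driver separately and
    # is never interpreted as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"   # a value that reads as SQL when concatenated
    print("vulnerable:", lookup_vulnerable(conn, crafted))  # every user row
    print("safe:      ", lookup_safe(conn, crafted))        # no match
```

The parameterised version is the fix to look for in a code review: a web application that builds queries by string concatenation anywhere in its data access layer is exposed regardless of how carefully the rest of the site is built.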
The internet is a minefield of data extracted through attacks like those outlined above, and companies that were targeted and breached have faced heavy fines from the ICO (Information Commissioner’s Office), as well as massive reputational damage. Meanwhile the attackers are busy making money selling stolen information to the highest bidder.
Q. So what can I do to help protect my organisation?
As much as we want to be 100% secure, the attack surface is too wide and continually evolving. Today nearly everyone owns an internet-connected device, which increases the likelihood of attack; all it takes is one weak point, be that human or technical.
In cyber security terms, the best form of defence is preparation. You and your company should be prepared to face the challenges that a cyber attack could bring. You should have action plans in place so you can take immediate steps to minimise risk and exposure once an attack is detected. Detection relies on specialist monitoring systems, without which you are unlikely ever to know you have been the victim of an attack, unless you are told or experience a DDoS.
People often consider the cost of procuring monitoring and anti-DDoS solutions too high, and weigh the risk of attack against the cost of a system.
With this in mind, CoSector – University of London Computer Centre developed a cost-effective solution to help. We have taken industry detection systems and built a user-friendly graphical interface that lets you see what is happening on your networks and systems. Without breaking the budget, it allows you to detect and manage an attack when it happens.
Have you ever received an email that looks legitimate or was unexpected, maybe asking you to download a bill, pay money or do something quickly?
If you answered yes, then you have probably fallen victim to a phishing email.
What is phishing?
A phishing attack is the fraudulent sending of an email that pretends to be from a trustworthy source: your bank, for example. The email will often ask you to click a link that takes you to a site which very convincingly imitates the same trustworthy organisation. Once you reach this site, it will probably ask you for your password, username or other personally sensitive data, and when this kind of information is in the wrong hands, the impact can be devastating. With your information, the attackers can piece together the elements they need to gain access to your financial or commercially sensitive information.
If the above isn’t scary enough, phishing attacks have now started to focus on installing third-party applications (malware) locally to gain control of your computer, device or network. The method, often referred to as ‘drive-by’, involves the attacker sending an email; the user follows the link, the malware then auto-installs, and the attacker gains access and control, often undetected.
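The mechanics just described (a spoofed sender, a link whose visible text imitates the trusted organisation while the real destination is elsewhere, and pressure to act quickly) are exactly the signals a mail-filtering or awareness tool looks for. The block below is an added example written for this article, not code from CoSector or from its monitoring service: it parses a constructed sample message (every address, domain and link in it is invented, including the `.test` domains) and reports which phishing indicators are present. The `phishing_indicators` function name and the list of urgency words are assumptions made for the example.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example; sender, domains and links are invented.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examp1e-bank-login.test>
Reply-To: collect@mailbox-relay.test
To: staff@university.test
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your details immediately at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/secure</a></p>
</body></html>
"""

# Words that typical phishing lures use to rush the reader (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    # 1. Replies silently routed to a different domain than the visible sender.
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Pressure language in the subject or body.
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hits = [w for w in URGENCY_WORDS if w in subject or w in text.lower()]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # 3. Links whose visible URL names one host while the href goes to another.
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        href_host = urlparse(href).hostname or ""
        if re.match(r"https?://", visible):
            shown_host = urlparse(visible).hostname or ""
            if shown_host and shown_host != href_host:
                indicators.append(
                    f"link text shows {shown_host} but points to {href_host}")
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

None of these checks is conclusive on its own (legitimate newsletters use Reply-To relays, and banks do say "immediately"), which is why such rules are normally scored and combined with sender authentication results rather than used as a single block/allow decision.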
Q. OK, so how does this affect my organisation?
Phishing attacks are a high risk to your organisation. Around 156 million phishing emails are sent every day, and whilst we think we are protected through standard security controls and awareness, 16 million of these emails reach their intended recipient. Of these, 8 million are opened and 800,000 links are clicked. This volume happens on a daily basis! So in an organisation with 1,000 staff accounts, the likelihood is that each of them will receive a phishing email, and you can soon see how your network could be compromised through a simple mistake by one member of staff.
Q. But I haven’t seen anything, so am I safe?
You may believe your organisation is safe; however, CoSector were recently asked to conduct a simulated phishing exercise with 1,000 staff at a client organisation. The company in question had run numerous awareness campaigns, conducted mandatory staff training and given advice via their intranet. When we ran the exercise, a staggering 15% of staff clicked the link in the email, which would have exposed the company and gone undetected. Luckily for our client, this was a simulated attack and not a genuine one.
Q. Wow! OK, I see what you mean. So what can I do to protect my organisation?
Users of computer networks are the biggest risk to the integrity of your systems; they are effectively the weakest link. The best way to strengthen this defence is by training your staff. Well-trained, knowledgeable and cautious staff will dramatically reduce risk and help protect your environment from potential attacks. There is no better training than going through a drill or being exposed to a simulated attack. You probably do this regularly for fire and emergency evacuation, so why not add it to your procedures for educating staff?
Q. So, what can I do to help protect my data/information?
Raising awareness is the key, but so is understanding the size of the problem you are facing within your organisation. CoSector recently launched a “phishing exercise service” which simulates a phishing attack as described above. We conduct the exercise with either all or a proportion of your staff, then analyse the findings from the simulated attack and produce a report on the outcomes.
If you would like to speak with one of our team to learn more about our Cyber Phishing and Monitoring Service, contact firstname.lastname@example.org or register your details for the latest deals and information on: